‘Speak up’ — 
The ICO’s 
whistleblowing 
policy and 
procedure 


Information Commissioner's Office 


1. Scope 
algal All employees of the Information Commissioner's Office (ICO) and 
other workers undertaking activity on behalf of the ICO. 


To prevent malpractice by the organisation, its employees, agents and 
partners by advising staff how to raise concerns with the 
organisation’s management or, if necessary, with its auditors or 
sponsoring department and advising them of the protection offered by 
the Public Interest Disclosure Act 1998 (‘PIDA’). 


This policy is for ICO staff. It does not cover disclosures made to the 
ICO regarding third parties as a proscribed person under the PIDA. 
Information regarding the ICO’s role that context is available on the 
ICO’s website here. 


3. Introduction 
All organisations face the risk of things going wrong or of unknowingly 
harbouring malpractice. We have a duty to identify and take measures 
to remedy all malpractice particularly with regard to issues of fraud 
and corruption. 


By encouraging a culture of openness within our organisation we 
believe that we can prevent malpractice before it happens. 


We want to encourage you to raise issues which concern you at work. 
We recognise, however, that you may be worried that by reporting 
such issues you will be opening yourself up to victimisation, detriment 
or risking your job security. 


Such fears are understandable, this policy is therefore designed 
provide you with information about the protections offered by PIDA as 
well as the process by which you may raise your concerns. 


By knowing about malpractice at an early stage we stand a good 
chance of taking the necessary steps to safeguard the interests of all 
staff, protect our organisation and stop fraud and corruption before it 
happens. 


In short, do not hesitate to ‘speak up’ or ‘blow the whistle’ on 
malpractice. 
4. Definitions 


4.1 ‘Fraud’: for the purpose of this policy refers to where an individual has 
undertaken, or intends to undertake, actions in order to obtain gain 
for him/herself or another, or cause loss to another, or expose 
another to risk of loss. 
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The term ‘fraud’ encompasses: 
i) Fraud by false representation; 
ii) Fraud by failing to disclose information; and 
iii) | Fraud by abuse of position. 
Descriptions of the above can be found within the Fraud Act 2006. 


4.2 ‘Corruption’ for the purpose of this policy refers to an individual who 
has given or obtained advantage through means which are 
illegitimate, immoral, and/or inconsistent with their duty to the ICO or 
the rights of others. Examples include accepting bribes or incentives 
during procurement processes, seeking to influence others. 


4.3 ‘Malpractice’ for the purpose of this policy refers to actions which may 
be: 

i) illegal, improper, or unethical; 

ii) in breach of a professional code; 

iii) | possible maladministration, fraud or misuse of public funds; 
or 

iv) acts which are otherwise inconsistent with the Staff Code of 
Conduct. 


5. Grievances 
It should be noted that this policy is not our normal grievance 
procedure. If you have a complaint about your own personal 
circumstances then you should use the grievance procedure. If you 


have concerns about malpractice within the organisation then you 
should use the procedure outlined in this policy. 


6. Protection of whistleblowers 

6.1 The management of the ICO is committed to this policy. If the policy 
is used to raise a concern in good faith we give you our assurance 
that you will not suffer any form of retribution, victimisation or 
detriment as a result of your actions. In addition, the PIDA may 
provide you with legal protection in relation to your disclosures if you 
raise your concerns in accordance with that Act. 


6.2 Concerns will be treated seriously and actions taken in accordance 
with this policy. If you ask us to treat the matter in confidence we will 
do our utmost to respect your request. However, it is not possible to 
guarantee confidentiality. If we are in a position where we cannot 
maintain confidentiality and so have to make disclosures we will 
discuss the matter with you first. We will give you feedback on any 
investigation and be sensitive to any concerns you may have as a 
result of any steps taken under this procedure. 


6.3 In some circumstances the ICO may decide that we ought to reveal 


your identity in order to assist in the investigation into the matter. 
You will be advised beforehand if this is the case. 
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6.4 Remember, if you do not tell us who you are it will be much more 
difficult for us to investigate the matter fully, to ask follow-up 
questions, to protect your position or to give you feedback. 
Accordingly, while we will consider anonymous reports, this procedure 
may not be appropriate for concerns that are raised anonymously. It 
will also be more difficult for you to demonstrate your protections 
under PIDA where there is no evidence that it is you who has made 
the disclosure. 


6.5 Whistleblowers receive protection under the PIDA in specific 
circumstances. Further information about the protection afforded 
under PIDA can be found using the resources listed at the end of this 


policy. 


7. Procedure 

7.1 Tell your line manager 
If you are concerned about any form of malpractice you should 
normally first raise the issue with your line manager. There is no 
special procedure for doing this - simply tell them about the problem 
or put it in writing if you prefer. 


At whatever level you raise the issue, you should declare whether you 
have a personal interest in the issue at the outset. If your concern 
falls more properly within the grievance procedure your manager will 
tell you. 


7.2 If you feel unable to tell your line manager 
If you feel you cannot tell your line manager, for whatever reason, 
you should raise the issue with the next tier of management or, if the 
issue is related to financial issues, the Head of Finance (or, in their 
absence, the Director of Resources). If you feel that the issue 
concerns issues of compliance with the legislation regulated by the 
ICO, you may speak with the Head of Risk and Governance (or, in 
their absence, the Director of Risk and Governance). 


If you feel that you cannot disclose to the next tier of management, 
the Head of Finance or the Head of Risk and Governance because you 
believe that the individual may be implicated in the malpractice, you 
should raise the matter in confidence with one of the Senior 
Leadership Team or Executive Team. 


The Senior Leadership Team and Executive Team are entrusted with 
the duty of investigating staff concerns about illegal, improper or 
unethical behaviour. 


You should also approach one of the Senior Leadership Team or 
Executive Team to draw attention to cases where there is evidence of 
irregular or improper behaviour elsewhere in the organisation, but 
where you have not been personally involved, or if you are required to 
act in a way which, for you, raises a fundamental issue of conscience. 
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7.3 If you still have concerns 
If you have reported a matter as described in the above paragraph 
and believe that the response does not represent a reasonable 
response to the issues you have raised, you may report the matter 
directly to the Commissioner. 


7.4 If you feel unable to raise the matter within the ICO 
If you feel that the people within the office with whom you would 
normally raise the issue are parties to, or supportive of, the behaviour 
causing concern, you may report the matter to: 

e The chair of the ICO’s Audit Committee, Ailsa Beaton, who is a 
non-executive member of the ICO’s management board. She 
can be contacted at REDACTED. 

e Our Head of Internal Audit at Mazars, Peter Cudlip, who can be 
contacted on REDACTED. 


7.5 Responding to whistleblowing 
After you have raised your concern we will decide how to respond in a 
responsible and appropriate manner. Usually this will involve making 
internal enquiries first but it may be necessary to carry out an 
investigation at a later stage which may be formal or informal 
depending on the nature of the concern raised. 


If you have raised a concern we will, as far as possible, keep you 
informed of the decisions taken and the outcome of any enquiries and 
investigations carried out. However, we will not be able to inform you 
of any matters which would infringe our duty of confidentiality to 
others. 


7.6 Raising your concern externally (exceptional cases) 
In all but the most exceptional of circumstances concerns about 
malpractice should be raised internally or with the representatives of 
our sponsoring department. 


The purpose of this policy is to give you the opportunity and 
protection you need to raise your concerns internally without 
reporting the concern to external bodies. It is, therefore, expected 
that raising concerns internally will be the most appropriate action to 
be taken in almost all cases and so you must try to do so. 


If, however, you feel you cannot raise your concerns internally the 
PIDA may afford you protection in relation to your disclosure but only 
if you are acting in good faith and if you honestly and reasonably 
believe that your allegations are true. In such circumstances you may 
consider raising the matter with the police or the appropriate 
regulator e.g. Health and Safety Executive, Environmental Health 
Department etc. If you do take this route to whistleblow an issue you 
may be required to demonstrate why you thought the normal internal 
procedure was not appropriate. 
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You are strongly recommended to take advice (see section 7.9 below) 
before following this course of action though, as the PIDA only affords 
protection to whistle blowers in certain circumstances. 


7.7 Wider whistleblowing disclosures 
If you have good reason for not using the internal or regulatory 
disclosure procedures described above, you might consider making 
wider disclosure by reporting the matter to the media, or making a 
posting on the internet. 


Please note, if you have not followed internal procedures, whistle 
blowing disclosures to the media or by other public disclosure will 
generally be considered to be an unreasonable course of action. 
Reporting your concerns for public circulation, even if done in good 
faith, before raising them in accordance with these procedures may 
result in disciplinary proceedings, which could lead to dismissal. 


You are recommended to take legal advice before following this course 
of action though, as the PIDA only affords protection to whistle 
blowers in certain circumstances. In particular, no protection is given 
if the disclosure is made for personal gain. 


7.8 Limits to protection 
It is important to note that a disclosure will not be protected under 
PIDA where you are committing an offence by making that disclosure, 
for example by breaching the Official Secrets Act or Section 132 of the 
Data Protection Act 2018. 


7.9 Sources of advice 
It is recommended to that you obtain advice about whistleblowing and 
PIDA at an early stage if you intend to report malpractice. This is 
important so that you know the extent of the protection which will be 
provided to you under PIDA. 


If you are a member of a trade union you may wish to seek advice 
about raising an issue from a trade union representative. You may 
also wish to seek advice from Public Concern at Work which is in 
independent charity set up to provide advice and guidance about 
whistleblowing issues. Contact details for Public Concern at Work are 
given in Section 9. 


7.10 If you receive a disclosure 
On rare occasions, you may receive a whistleblowing disclosure 
despite not holding any of the positions referred to in paragraph 7.2. 
For example, a disclosure could be received through the post, or via 
casework. In this instance you should forward the disclosure to the 
Head of Risk and Governance as soon as possible. 


8. Malicious whistleblowing 
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8.1 


8.2 


If you are found to have made allegations maliciously and/or not in 
good faith, a disciplinary process may be instigated against you. This 
may result in your dismissal from the ICO. 


It is important to note that as long as you have raised a concern in 
good faith, you will not be subject to disciplinary action even if the 
investigation finds your allegations to be unproven. 


9. Frequently asked questions 


9.1 


9.2 


9.3 


9.4 


9.5 


9.6 


I told my line manager a number of weeks ago that I believe 
that a colleague is misusing ICO resources. Nothing seems to 
have happened since. What should I do? 

Speak with your line manager to ask how the investigation is 
progressing. If you feel that no or insufficient progress has been made 
you must inform your manager's manager. 


I have serious concerns that malpractice is prevalent within 
my team and that my manager, the Senior Leadership Team, 
and Executive Team know about the situation but have chosen 
to ignore it. What should I do? 

You must contact the Commissioner personally and inform him/her of 
your concerns. If you feel the Commissioner is involved in, or 
supportive of, the malpractice you should raise the matter with the 
representatives of our sponsor department as detailed in the 
procedure above. 


I believe that a colleague is stealing from the ICO. How do I 
deal with this? 

This issue should be dealt with by using this whistleblowing 
procedure. You must, therefore, inform your line manager. 


I believe that malpractice is happening within the ICO and I 
am thinking of going to the press about it. What are the 
implications of this? 

You should try to exhaust all internal mechanisms for whistleblowing 
or refer to our sponsoring department or the relevant regulatory body. 
You should be aware that going directly to the press may limit your 
protection under the Public Interest Disclosure Act (PIDA) and you 
may be liable for dismissal. It is advised that you seek advice from 
your trade union, if you are a member, or contact Public Concern at 
Work (whose details are in section 9) before taking this course of 
action. 


What does PIDA do? 

PIDA protects workers who make a protected disclosure of 
information, concerning certain types of matters relating to their 
employment, from being dismissed or penalised by their employers as 
a result of the disclosure. 


Who may claim the protection of PIDA? 
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Members of staff are workers within the definition contained in PIDA 
and may make a qualifying disclosure of information if they 
reasonably believe that the disclosure would tend to show that the 
ICO is involved in a relevant failure as outlined in section 9.7 below. 


9.7 What disclosures are protected? 
Not all disclosures of information are protected by PIDA. Protection 
only arises in relation to protected disclosures. Protected 
disclosures are: 


- qualifying disclosures (defined below) made to an appropriate 
party (see section 9.8. below); and 


- made in accordance with the differing conditions for disclosure 
applying to each different type of recipient of the information. 


A qualifying disclosure is: 


“any disclosure of information which, in the reasonable belief of the 
worker making the disclosure, tends to show one or more of the 
following. 


(a) That a criminal offence has been committed, is being committed 
or is likely to be committed; 


(b) That a person has failed, is failing or is likely to fail to comply with 
any legal obligation to which he is subject; 


(c) That a miscarriage of justice has occurred, is occurring or is likely 
to occur; 


(d) That the health or safety of any individual has been, is being or is 
likely to be endangered; 


(e) That the environment has been, is being or is likely to be 
damaged; or 


(f) That information tending to show any matter falling within any one 
of the preceding paragraphs has been, or is likely to be deliberately 
concealed.” 


PIDA refers to those matters covered by (a) to (f) above as relevant 
failures. 


A disclosure will not be a qualifying disclosure if the person making it 
commits an offence by making it (e.g. if the disclosure would breach 
official secrets legislation or if it would breach Section 132 of the Data 
Protection Act 2018). You would therefore not receive protection 
under PIDA if you made a disclosure in these circumstances. 
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9.8 To whom may a disclosure be made? 
A protected disclosure may be made to one of five types of recipients, 
these are: 


Š the worker's employer; 

- a legal adviser; 

~ a Minister of the Crown (in certain circumstances); 

- a regulatory body (referred to as a prescribed person - 
including the Information Commissioner); and 

- a third party (for example, the media). 


The circumstances in which disclosures may be made vary depending 
upon the intended recipient of the information. 


The most likely recipient of information from ICO staff concerning 
misconduct will be the ICO as the employer of the worker in 
question. To be protected by PIDA, a worker wishing to make a 
disclosure must make sure that s/he reasonably believes that the 
disclosure tends to show a relevant failure and s/he must make the 
disclosure in good faith. 


You may need independent legal advice to direct you in understanding 
this legislation. 


10. Resources 
For more information on whistleblowing and related legislation visit: 
http ://www.pcaw.co.uk 


If you need independent advice about a whistleblowing issue you can 
telephone Public Concern at Work on 020 7404 6609. 


Further information about PIDA is contained in the PIDA Overview 
which can be found in the Human Resources section on ICON. 


‘Malpractice’ — in the context of this policy this may refer to any of the 
following: 


Failure to comply with a legal obligation 

Unprofessional acts 

Misuse or inappropriate use of ICO funds or resources 

A criminal offence 

A miscarriage of justice 

The endangering of an individual's health and safety 

Damage to the environment 

Deliberate concealment of information relating to any of the above 


Whistleblowing policy and procedure, v2.2 February 2020 Page 9 of 9 


